The subject of how information security impacts different industry sectors is an intriguing one. For example, how does the finance industry fare in terms of information security compared to the education sector, or the entertainment business? Are there some sectors that face greater cyber-threats and risks than others? Do some do a better job of keeping data secure, and if so, how and why?
The security risks surrounding industrial control systems (ICS) and operational technology (OT) have been a common topic of discussion across the security industry over the last few years, and recent SANS data will do little to allay fears that ICS and OT cybersecurity failings will lead to security incidents that could put both data and physical well-being in danger.
In a new survey of 348 security professionals representing IT, OT and hybrid IT-OT domains, SANS claimed that the cybersecurity risk of ICS and OT is at ‘critical levels,’ with more than half of respondents gauging the cyber-risks to their safe and reliable operations as high or higher than in past years.
Almost two-thirds of those polled (62%) stated that people are the greatest risk to cybersecurity compromise, followed by technology (22%) and processes and procedures (14%). What those findings show is that whilst people were noted as the biggest risk to the security of ICS and OT, threats are not limited to the human element of protecting data and technology is also failing to be effective.
Survey co-author and SANS senior analyst Barbara Filkins said: “The obvious concern about the risk that people represent – whether they are malicious insiders, careless employees or nation-state bad actors – is consistent across industries. We were a little surprised at the lower-ranking concern around process, given that there is significant complexity involved in ICS design, implementation and operation to safeguard OT systems. It’s possible recent attacks that almost always include tried-and-true tactics that exploit human-factors might have impacted our respondents’ perceptions.”
It appears that identifying connected assets and gaining visibility into device, network and control system integrity is a particular challenge for security pros: 45.5% of respondents stated that was a leading focus for their organization. SANS pointed to mobile devices (including those used remotely to augment and replace ICS workstations) and wireless communications solutions as contributors to overall risks and threat exposure.
Survey co-author and director of SANS Industrials & Infrastructure business portfolio Doug Wylie said: “We know from previous SANS research that the addition of ‘things’ and mobile devices to ICS represents significant risk,” said survey co-author and director of SANS Industrials & Infrastructure business portfolio Doug Wylie. “We see in our newest results that practitioners struggle mightily with how to offset these mounting challenges.”
Additional risks brought about by growing adoptions of and movement to cloud services also need to be addressed, according to SANS. Wylie added: “Hyperconnectivity and the rapid introduction of new technology within OT is providing tangible value, but the added complexity that comes with each continues to outpace the readiness of those tasked with safeguarding today’s systems from cyber-threats.”